The Internet of Things (IoT) is a large, ubiquitous system that includes vast quantities of connected smart objects (e.g., sensors, actuators). Ensuring the cyber-security of IoT is a crucial requirement for its deployment in real-life applications. Key exchange and management is a foundational security service for IoT, since it enables the distribution of cryptographic keys to IoT devices.
With IoT, low-end devices such as medical implantables, wearable devices, and various sensors generate large amounts of highly sensitive data (e.g., medical, financial and forensic) that are maintained and audited by cloud services. It is important to ensure the security of such sensitive data, since these IoT devices and cloud systems are under threat from active adversaries with improved capabilities (e.g., quantum computing). One may consider using breach-resilient public key based cryptographic techniques with post-quantum security (e.g., lattice-based forward-secure signature and encryption) to achieve scalable services with the non-repudiation property. However, these techniques are extremely costly and currently impractical for IoT devices. Hence, there is a significant need for cryptographic mechanisms with extended properties that achieve scalability and non-repudiation in a highly efficient manner.
There are two main lines of cryptographic protection techniques.
Symmetric Cryptography Based Primitives:
In one line, several symmetric cryptography based audit techniques have been proposed [19, 22, 34, 43, 44]. These techniques mainly rely on Message Authentication Codes [7], hash chains [29], and Merkle hash trees [39]. A common system architecture in these schemes is that the sender (a.k.a. the signer and/or encryptor) shares a symmetric key with a trusted server and uploads cryptographically secured audit logs to that server. The server acts as an auditor and verifies the authenticity of log entries using the secret keys shared with the senders.
Many of these techniques are near-optimally efficient in terms of computation and communication overhead because they rely on highly efficient symmetric primitives. Some of them also achieve sender-side compromise resiliency by implementing forward-secure symmetric MACs with hash chains [34]. Some can also offer “all-or-nothing” features, wherein an adversary cannot selectively delete log entries from a log trail without being detected. Moreover, these techniques can achieve post-quantum security, since they rely on symmetric primitives [1].
However, the symmetric cryptography based techniques have the following drawbacks: (i) They cannot achieve non-repudiation and public verifiability, since the verifier shares the same key with the senders. That is, the verifier can easily generate an authentication tag on behalf of any sender of its choice, since it holds all the shared keys. The lack of non-repudiation is a significant drawback for many applications (e.g., healthcare, financial, and lawsuits) that need a dispute resolution mechanism. Non-repudiation also alleviates the liability on verifiers, since they cannot be accused of creating fake authentication tags. (ii) The direct application of these techniques to auditing might create vulnerabilities against active adversaries. Specifically, if the verifier is compromised by an active adversary (e.g., malware or insider collusion), the security of all senders with whom the verifier shares symmetric keys is also compromised. (iii) The symmetric key based methods are not scalable for large distributed systems. Therefore, these techniques are generally coupled with Public Key Cryptography (PKC) for key distribution, management, and authentication purposes.
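To make the symmetric-key trade-offs above concrete, the following added example (not from the original text, and not a reconstruction of any scheme in the cited works) sketches a hash-chain-evolved MAC audit log: the sender erases each epoch key after use (forward security), interior deletions are caught because tags bind the entry position, and the verifier, holding the same root key, can mint a trail the sender never produced (the non-repudiation gap). Function names, the key schedule and the sample log entries are all constructed for illustration.

```python
import hashlib
import hmac
import secrets

def evolve(key: bytes) -> bytes:
    """Hash-chain key update k_{i+1} = H(k_i); one-way, so k_i is not recoverable from k_{i+1}."""
    return hashlib.sha256(b"evolve|" + key).digest()

def tag(key: bytes, index: int, entry: bytes) -> bytes:
    """MAC over (position, entry); binding the index is what makes interior deletions detectable."""
    return hmac.new(key, index.to_bytes(4, "big") + entry, hashlib.sha256).digest()

class Sender:
    """Constrained device: keeps only the current epoch key and appends (entry, tag) pairs."""
    def __init__(self, k0: bytes):
        self.key, self.index, self.log = k0, 0, []

    def append(self, entry: bytes) -> None:
        self.log.append((entry, tag(self.key, self.index, entry)))
        self.key = evolve(self.key)   # erase k_i: a later compromise yields only k_{i+1} onward
        self.index += 1

def verify(k0: bytes, log) -> bool:
    """Server holding the shared root key replays the chain; any mismatch rejects the whole trail."""
    key = k0
    for i, (entry, t) in enumerate(log):
        if not hmac.compare_digest(tag(key, i, entry), t):
            return False
        key = evolve(key)
    return True

def demo():
    k0 = secrets.token_bytes(32)  # constructed: shared key provisioned out of band
    s = Sender(k0)
    for e in [b"dose=5mg", b"dose=7mg", b"alarm:low-battery"]:
        s.append(e)
    honest = verify(k0, s.log)
    # Selective deletion: dropping the middle entry shifts positions, so the replay fails.
    dropped = verify(k0, [s.log[0], s.log[2]])
    # Non-repudiation gap: the verifier knows k0 and can produce a perfectly valid trail itself.
    forger = Sender(k0)
    forger.append(b"dose=50mg")
    forged = verify(k0, forger.log)
    # Caveat: truncating the tail (newest entries) still verifies unless the verifier knows the
    # expected length or the sender closes the trail with a final marker entry.
    truncated = verify(k0, s.log[:2])
    return honest, dropped, forged, truncated

if __name__ == "__main__":
    print(demo())  # (True, False, True, True)
```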
Public Key Cryptography Based Primitives:
In another line, public key cryptography based auditing techniques have been proposed (e.g., [3, 23, 27, 35, 36, 46, 48]). These schemes are mainly based on digital signatures [7], which guarantee public verifiability and non-repudiation. Moreover, because they rely on public keys for verification, they achieve verifier compromise resiliency and availability by default (anybody can verify the logs without relying on a trusted party). Many of these schemes (e.g., [33]) either adapt or create new forward-secure (e.g., [2]) and/or aggregate signature schemes [12] to offer sender-side compromise resiliency and compactness. Signature aggregation offers the added benefit of an append-only feature, wherein one can only add to a trail of audit logs but cannot selectively delete from it without being detected. There are also recently emerging PKC schemes with post-quantum security assurances for broader use cases, including encryption and digital signatures (e.g., [9, 13, 14, 42]).
Despite their merits, public key based techniques have the following drawbacks: (i) All of these techniques rely on highly costly operations such as exponentiations, cryptographic pairings, and elliptic curve scalar multiplications per item to be signed or verified. While some schemes are efficient for either the sender or the verifier side, in general they are several orders of magnitude costlier than their symmetric key counterparts. (ii) Their key and signature sizes are significantly larger than those of symmetric cryptography based counterparts. (iii) All of these alternatives rely on either factorization based or discrete logarithm based primitives, and therefore cannot offer post-quantum security. (iv) Potential post-quantum secure variants of such forward-secure and/or aggregate schemes are potentially even more costly in terms of key and signature sizes than their traditional counterparts.
There is a need for sender-optimal (symmetric) cryptographic schemes that are compromise-resilient, compact, and post-quantum secure, and that achieve non-repudiation and breach-resiliency at the verifier side.